Start of new case 


Q1 


Q2 


Does the draft guidance cover the relevant issues about the right of access? 
O) Yes 

© No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


Data subjects can issue SARs simply to be malicious resulting in huge cost to the organisation due to the 
time and effort required to process these requests. Also, data subjects can request info that has already 
been provided to them - they can then request this info again - these requests cost the organisation 
money to process. The SAR process should allow companies to charge to process SARs where the data 
subject has been sent the information previously. For example employment documentation [contracts, 
time-sheets, payslips....] - where the employee has been sent this info the company should be allowed to 
charge for this or reject the response. Also, where a company reasonable suspects that a request is 
purely malicious - designed to cuase harm to to the company the company should be able to reject the 
request or charge a fee. Where the data subject simply requests all the data a company holds about 
them the company should be allowed to request further information to reduce the effort required. There 
is an imbalance between the data subject that can simply say 'send me everything’ which takes a few 
seconds and costs them nothing - and then the response from the company that can take many hours 
and involve huge costs. This imbalance leads to malicious requests.... Regulations should allow a 
company to reject malicious SARs designed to extract compensation - data subjects are increasingly 
aware that sending a SAR to a company will result in significant time and effort for the company. There 


Does the draft guidance contain the right level of detail? 
O) Yes 
© No 
(`) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


see above 


Q3 


Does the draft guidance contain enough examples? 
() Yes 

© No 

C) Unsure / don't know 

If no or unsure/don’t know, please provide any examples that think should be included in 
the draft guidance. 

see above 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly 
unfounded or excessive’ subject access requests. We would like to include a wide 
range of examples 
from a variety of sectors to help you. Please provide some examples of manifestly 
unfounded and excessive 
requests below (if applicable). 


see prev 


Q5 Ona scale of 1-5 how useful is the draft guidance? 


1-Notatall 2-—Slightly Moderately 4-Very 5- Extremely 
useful useful useful useful useful 


© 


Q6 Why have you given this score? 
doesn't reflect real life situations. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly Neither agree Strongly 
disagree Disagree nor disagree Agree agree 


© 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


lacks detail 


Q9 Are you answering as: 


ey An individual acting in a private capacity (eg someone providing their views as a 
— member of the public) 


© An individual acting in a professional capacity 
©.) On behalf of an organisation 

©) Other 

Please specify the name of your organisation: 
optindigo 


Q10 How did you find out about this survey? 
©) ICO Twitter account 
©) ICO Facebook account 
©) ICO LinkedIn account 
(C) ICO website 
© ICO newsletter 
~) ICO staff member 
|) Colleague 
©) Personal/work Twitter account 
() Personal/work Facebook account 
©) Personal/work LinkedIn account 
©) Other 


Thank you for taking the time to complete the survey 


